Management Incident Lightweight Exchange (MILE) Implementation Report
draft-ietf-mile-implementreport-10

[Ballot comment]
Nevile Brownlee performed the opsdir review. I don't think the draft is entirely ready to publish and I hope some editing will ensue but I that in the hands of shepherd, and responsible AD.

Hi all:

I have performed an Operations Directorate review of
  draft-ietf-mile-implementreport-09

  "This document is a collection of implementation reports from vendors,
  consortiums, and researchers who have implemented one or more of the
  standards published from the IETF INCident Handling (INCH) and
  Management Incident Lightweight Exchange (MILE) working groups."

This draft is a collection of information about Security Incident
reporting protocols, and the implementation of systems that use them
to share such information.  It is simply a collection of information,
it makes no attempt to compare the various standards or implementations.
As such, it will be of interest to Network Operators who wish to collect
and share such data.

Operationally, Operators would need to decide which incident data
collection group they want to be part of, that choice will strongly
influence their choice of reporting protocol and applications to
gather and distribute the data.

The draft seems (to me) to need quite a bit of copy-editing, I list
a few changes and suggestions below ...

S1  RFC5070-bis.  Is there an Internet Draft about this, or some other
      document you could reference?  It's mentioned again in section
      3.1, but there's nothing about it in the References section.

S2.1  s/provides a solutions/provides solutions/
S2.3  s/IODEF formatted-message to/IODEF formatted-messages to/
      s/by REN-ISAC are designed/by REN-ISAC is designed/

S3.2  "IODEF-SCI is the IETF draft"  there's no reference to such a
      draft, there should be.
      "It also equips the interface ..."  Exactly what does this mean?

S4.2.2 s/prevents from accidentally/prevents accidentally/
      s/ensure it is a well formed format/
        ensure it is well formed/

S5.1  "General availability of Threat Central will
      be in 2014."
      It's now well into 2016 - this needs updating!

Overall, I think the material in this draft is interesting, but it
needs quite a bit of tidying/updating to get it ready for publishing.

Cheers, Nevil

--
---------------------------------------------------------------------
Nevil Brownlee                          Computer Science Department
Phone: +64 9 373 7599 x88941            The University of Auckland
FAX: +64 9 373 7453  Private Bag 92019, Auckland 1142, New Zealand

_______________________________________________
OPS-DIR mailing list
OPS-DIR@ietf.org
https://www.ietf.org/mailman/listinfo/ops-dir

[Ballot comment]
Having an implementation report that actually provides references to available
code is useful - as long as there is some permanence to the links.

[Ballot comment]

I concur with Alvaro and Ben on this one. There is too much that is
too close to marketing text and that would not really help an
implementer or someone investigating these RFCs, or someone further
developing those RFCs.

It seems to me that only sections 7.1 and 7.4 contain the kind of
information that I'd expect to find in an RFC like this. As far as I
can see only those two sections actually refer to sections of, or
content from, the RFCs concerned in a way that is useful to document
in an RFC.

I also could not access the URL in section 1. That seems like it
really would need fixing.

(I will admit that I may be somewhat biased here - IMO any document
with 26+ occurrences of the string "cyber" is likely not a good
candidate for an RFC;-)

[Ballot comment]
I'm going to have to agree with Alvaro on this one. I do not understand the purpose of publishing this, since it seems to be a snapshot of an moving target. It will be out of date very quickly. I don't see how that is helpful, and can imagine it might be harmful if future readers treat this as current information.  A paragraph or two about why is valuable as an RFC might help.

This is reminiscent of an RFC 6982 "implementation status section", but that RFC explicitly recommends such sections be removed before publication.

In any case, I also cannot load the page referenced at the end of section 1. Hopefully that's a transient problem, but please make sure at the end of section 1 works prior to publication.  (And hopefully forever if the resulting RFC continues to reference it.)

[Ballot comment]
I'm going to have to agree with Alvaro on this one. I do not understand the purpose of publishing this, since it seems to be a snapshot of an moving target. It will be out of date very quickly. I don't see how that is helpful, and can imagine it might be harmful if future readers treat this as current information. 

This is reminiscent of an RFC 6982 "implementation status section", but that RFC explicitly recommends such sections be removed before publication. A paragraph or two about why is valuable as an RFC might help.

In any case, I also cannot load the page referenced at the end of section 1. Hopefully that's a transient problem, but please make sure at the end of section 1 works prior to publication.  (And hopefully forever if the resulting RFC continues to reference it.)

[Ballot comment]
I think that this document is already outdated and that it doesn't have any archival value — I am then ABSTAINing.

I like the fact that the authors provide a link to a "more complete list of implementations", which (in my opinion) results in the archival value of this document to be lowered even more. [However, the link didn't load for me. :-(]

The information in Section 5.1. (Threat Central, HP  -- picking on this section just because it is the first one) reads like a marketing brochure ("…a security intelligence platform that enables automated, real-time collaboration between organizations to combat today's increasingly sophisticated cyber attacks…"), and it provides information that is obviously not current: "General availability of Threat Central will be in 2014".

[Ballot comment]
Nevil Brownlee performed the OPS DIR review. Here is his feedback.

I have performed an Operations Directorate review of
  draft-ietf-mile-implementreport-09

  "This document is a collection of implementation reports from vendors,
  consortiums, and researchers who have implemented one or more of the
  standards published from the IETF INCident Handling (INCH) and
  Management Incident Lightweight Exchange (MILE) working groups."

This draft is a collection of information about Security Incident
reporting protocols, and the implementation of systems that use them
to share such information.  It is simply a collection of information,
it makes no attempt to compare the various standards or implementations.
As such, it will be of interest to Network Operators who wish to collect
and share such data.

Operationally, Operators would need to decide which incident data
collection group they want to be part of, that choice will strongly
influence their choice of reporting protocol and applications to
gather and distribute the data.

The draft seems (to me) to need quite a bit of copy-editing, I list
a few changes and suggestions below ...

S1  RFC5070-bis.  Is there an Internet Draft about this, or some other
      document you could reference?  It's mentioned again in section
      3.1, but there's nothing about it in the References section.

S2.1  s/provides a solutions/provides solutions/
S2.3  s/IODEF formatted-message to/IODEF formatted-messages to/
      s/by REN-ISAC are designed/by REN-ISAC is designed/

S3.2  "IODEF-SCI is the IETF draft"  there's no reference to such a
      draft, there should be.
      "It also equips the interface ..."  Exactly what does this mean?

S4.2.2 s/prevents from accidentally/prevents accidentally/
      s/ensure it is a well formed format/
        ensure it is well formed/

S5.1  "General availability of Threat Central will
      be in 2014."
      It's now well into 2016 - this needs updating!

Overall, I think the material in this draft is interesting, but it
needs quite a bit of tidying/updating to get it ready for publishing.

[Ballot comment]
One high level comment: I personally would rather see this as an appendix of RFC5070bis than an own document.

Minor comments:
- Please add a refernce to RFC5070-bis

- http://siis.realmv6.org/implementations/ - this link did not work for me. Should this information be hosted somewhere, were long-time hosting is guaranteed?

- I don't understand the following sentence; is there a reference missing?
  "IODEF-SCI is the IETF draft that extends IODEF so that IODEF document can embed structured cybersecurity information (SCI)"

- What is the following sentence suposed to tell me?
  "Note that users can enjoy this software with their own responsibility."

- draft-field-mile-rolie-02 should also be a real reference; and maybe "XEP-0268 (http://xmpp.org/extensions/xep-0268.html)" as well? In general check references where needed.

- This is in the past: "General availability of Threat Central will be in 2014"

- There are also a couple of other nits (e.g. missing articles) that probably will be fixed by the RFC editor, but maybe double-check if you do an update.

[Ballot comment]
One high level comment: I personally would rather see this as an appendix of RFC5070bis than an own document.

Minor comments:
- Please add a refernce to RFC5070-bis
- http://siis.realmv6.org/implementations/ - this link did not work for me. Should this information be hosted somewhere, were long-time hosting is guaranteed?
- I don't understand the following sentence; is there a reference missing?
  "IODEF-SCI is the IETF draft that extends IODEF so that IODEF document can embed structured cybersecurity information (SCI)"
- What is the following sentence suposed to tell me?
  "Note that users can enjoy this software with their own responsibility."
- draft-field-mile-rolie-02 should also be a real reference; and maybe "XEP-0268 (http://xmpp.org/extensions/xep-0268.html)" as well? In general check references where needed.
- This is in the past: "General availability of Threat Central will be in 2014"
- There are also a couple of other nits (e.g. missing articles) that probably will be fixed by the RFC editor, but maybe double-check if you do an update.

[Ballot comment]
One high level comment: I personally would rather see this as an appendix of RFC5070bis than an own document.

Minor comments:
- Please add a refernce to RFC5070-bis
- http://siis.realmv6.org/implementations/ - this link did not work for me. Should this information be hosted somewhere, were long-time hosting is guaranteed?
- I don't understand the following sentence; is there a reference missing?
  "IODEF-SCI is the IETF draft that extends IODEF so that IODEF document can embed structured cybersecurity information (SCI)"
- What is the following sentence suposed to tell me?
  "Note that users can enjoy this software with their own responsibility."
- draft-field-mile-rolie-02 should also be a real reference; and maybe "XEP-0268 (http://xmpp.org/extensions/xep-0268.html)" as well? In general check references where needed.
- This is in the past: "General availability of Threat Central will be in 2014"
- There are also a couple of other nits (e.g. missing articles) that probably will be fixed by the RFC editor, but maybe double-check if you do an update.

(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-mile-implementreport-09.txt, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any IANA actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
IANA Specialist
ICANN

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: mile-chairs@tools.ietf.org, takeshi_takahashi@nict.go.jp, Kathleen.Moriarty.ietf@gmail.com, mile-chairs@ietf.org, mile@ietf.org, draft-ietf-mile-implementreport@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (MILE Implementation Report) to Informational RFC


The IESG has received a request from the Managed Incident Lightweight
Exchange WG (mile) to consider the following document:
- 'MILE Implementation Report'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-06-21. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document is a collection of implementation reports from vendors,
  consortiums, and researchers who have implemented one or more of the
  standards published from the IETF INCident Handling (INCH) and
  Management Incident Lightweight Exchange (MILE) working groups.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-mile-implementreport/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-mile-implementreport/ballot/


No IPR declarations have been submitted directly on this I-D.

As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)  Why
is this the proper type of RFC  Is this type of RFC indicated in the
title page header

  Informational RFC is requested, and this is indicated in the title page header.
  This draft does not propose any common interfaces, but it supports the implementation of IODEF-related tools.
  The WG believes that this falls within the scope of informational RFC.


(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the Action announcements for approved
documents. The approval announcement contains the following sections

Technical Summary

  This document is a collection of implementation reports from vendors,
  consortiums, and researchers who have implemented one or more of the
  standards published from the IETF INCident Handling (INCH) and
  Management Incident Lightweight Exchange (MILE) working groups.


Working Group Summary

  The content of this doument has evolved following the development of RFC5070-bis draft.
  The rough consensus on this draft was to finalize this draft just after the content of RFC5070-bis draft is finalized.
  The RFC5070-bis draft has already completed the WGLC by April, thus the WG agreed to proceed toward the publication of this document.

Document Quality

  This document lists lots of implementation instances.
  The sentences for each implementation instance were reviewed by the original implementor organizations.

Personnel

  Takeshi Takahashi is the Document Shepherd and Kathleen Moriarty is the Responsible Area Director

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

  I believe this document is ready for publication.
  The initial version of this draft was proposed on Feb, 2014.
  Only the major change the document has experienced is the inclusion of the sentences on implementation experience at the end of 2014.
  Until that time, the document focused on listing existing implementation, but after that, it included some implementation tips earned from real implementation experiences.
  Until now, the document was reviewed by the WG, and no objection were raised; the WG has been acknowledging their efforts in each meetings.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed

  No.
  The purpose of this document is evangelizing the efforts of RFC 5070-related activities.
  For this purpose, the depth or breadth of the reviews were adequate.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization If so, describe the review that
took place.

  The document has been already reviewed by experts from different areas, but it would be always nice to have more eyes on this.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director andor the
IESG should be aware of For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

  No serious issue is found.
  Only the concern I had was the distinction between this draft and the IODEF Usage Guidance draft (https://datatracker.ietf.org/doc/draft-ietf-mile-iodef-guidance/), but the distinction is currently clear.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

  Chris Inacio and Daisuke Miyamoto have declared that this draft has no IPR-related issues so long as they know.


(8) Has an IPR disclosure been filed that references this document
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No.


(9) How solid is the WG consensus behind this document Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it 

  During two year discussion of this draft, the list of implementations in this document was expanded in a constructive manner.
  The MILE WG is rather small, and that helped the WG as a whole to understand and agree with it.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No.


(11) Identify any ID nits the Document Shepherd has found in this
document. (See https://www.ietf.org/tools/idnits and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  This document is ID-nits friendly.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  This document does not have any issue that require any external formal review, such as MIB Doctor, media type, and URI type reviews.


(13) Have all references within this document been identified as
either normative or informative

  This document has 11 informative references, and no normative reverences are found.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state If such normative
references exist, what is the plan for their completion

  Such normative reference does not exist in this document.

(15) Are there downward normative references references (see RFC 3967)
If so, list these downward references to support the Area Director in
the Last Call procedure.

  No


(16) Will publication of this document change the status of any
existing RFCs Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

  No


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  This document includes no request to IANA, and this is correct.


(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

  There exist no such registries.


(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  There is no such section in this document.